Slide 1
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP (Hong Kong Chapter)
(The Open Web Application Security Project)
WebGoat & WebScarab
James Tsao, OWASP Exco member and Program Committee, [email protected]
Gary Kung, SCBCD, SCWCD, SCWS, OCP, OWASP Exco member and Program Committee, [email protected]
Slide 2
OWASP
Developer’s Viewpoint
Disconcerting and worrying – web apps seem so easy to break!
Fortunately – there are ways to combat them ☺
Developer’s Best Friends
Know your HTTP
Become familiar with methods of exploits (e.g. come to an OWASP seminar)
Tools to help you debug and test against vulnerabilities
Slide 3
OWASP
Know Your HTTP
Browser / HTML based apps
WAP / WML based apps
iMode / cHTML based apps
Web Services
Slide 4
OWASP
WebScarab
OWASP Project
HTTP and HTTPS analyzer (proxy)
Developer’s debug tool, Security Specialist’s vulnerability inspection tool
Use it with the right intentions!
http://www.owasp.org/software/webscarab.html
Slide 5
OWASP
Plugins
Proxying
Manual Intercept
Reveal Hidden Fields (create example)
Spider
… many more
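The slide leaves the "Reveal Hidden Fields" example to be created live. The following is an added illustration written for this transcript, not code from the slide deck or from WebScarab itself: it lists the hidden inputs of a form the way a proxy plugin would show them to the tester, then contrasts a checkout handler that trusts the hidden price field with one that looks the price up server-side. The form markup, the `CATALOGUE` table and all function names are constructed for the demonstration.

```python
"""Added example (not from the OWASP slide deck): what a "reveal hidden
fields" plugin exposes, and why the server must not trust those fields.
The form markup, catalogue and function names are constructed here."""
from html.parser import HTMLParser

# Constructed sample: a checkout form as a developer might write it, with
# the unit price carried in a hidden input.
CHECKOUT_FORM = """
<form action="/checkout" method="POST">
  <input type="hidden" name="item_id" value="sku-1001">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Server-side catalogue (constructed); a real app would query a database.
CATALOGUE = {"sku-1001": 49.99, "sku-2002": 9.50}


class HiddenFieldFinder(HTMLParser):
    """Collect every <input type="hidden"> in a page, which is what a
    proxy plugin that reveals hidden fields shows the tester."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))


def reveal_hidden_fields(html: str) -> list:
    """Return (name, value) pairs for all hidden inputs in the HTML."""
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.hidden


def checkout_trusting_hidden(form: dict) -> float:
    """Vulnerable handler: the total is computed from the client-supplied
    hidden 'price' field, so an edited request sets its own price."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_server_side(form: dict) -> float:
    """Hardened handler: the price comes only from the server-side
    catalogue; the hidden 'price' field is ignored and qty is validated."""
    item = form.get("item_id")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", 0))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(CATALOGUE[item] * qty, 2)


if __name__ == "__main__":
    print("hidden fields:", reveal_hidden_fields(CHECKOUT_FORM))
    # A submission as the browser sends it, and one with the hidden price edited.
    honest = {"item_id": "sku-1001", "price": "49.99", "qty": "2"}
    edited = {"item_id": "sku-1001", "price": "0.01", "qty": "2"}
    print("trusting hidden field:", checkout_trusting_hidden(honest),
          checkout_trusting_hidden(edited))
    print("server-side lookup:   ", checkout_server_side(honest),
          checkout_server_side(edited))
```

The point for a developer reviewing their own application is that anything the browser can see, a proxy can change; hidden inputs are a convenience for the client, not a trust boundary, so every value that affects money, identity or access must be re-derived or re-checked on the server.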
Slide 6
OWASP
WebScarab
Standalone mode: download and execute using java -jar
Slide 7
OWASP
WebGoat
OWASP Project
http://www.owasp.org/software/webgoat.html
Fully featured Java Web Application (Tomcat)
Useful ‘toy’ for you to learn, and exploit (safe in the fact that no one will sue you for hacking ☺)
Tutorial style – lesson by lesson.
Break the Challenge!
Slide 8
OWASP
WebGoat from OWASP (www.owasp.org)
Slide 9
OWASP
Good Design is Worth it!
Ease development of combative measures
Enterprise Developer vs Hobbyist Developer
Apply sound software design patterns
Don’t reinvent the wheel - use popular application frameworks!
Don’t get distracted by the ‘quick & dirty’ way to code production apps; they will come back and haunt you (and your bosses).